From 7e9060c109b928769a664dbcc2c17bd21231b6f3 Mon Sep 17 00:00:00 2001
From: =?utf8?q?J=C3=B6rn=20Zaefferer?= <joern.zaefferer@gmail.com>
Date: Mon, 26 Nov 2012 10:14:36 +0100
Subject: [PATCH] Dialog: Extract setting the title into a _title method, use
 .text() to prevent XSS. Fixes #6016 - Dialog: Title XSS Vulnerability.

---
 ui/jquery.ui.dialog.js | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/ui/jquery.ui.dialog.js b/ui/jquery.ui.dialog.js
index 5eb3e2aca..808d31d5b 100644
--- a/ui/jquery.ui.dialog.js
+++ b/ui/jquery.ui.dialog.js
@@ -352,14 +352,21 @@ $.widget("ui.dialog", {
 		uiDialogTitle = $( "<span>" )
 			.uniqueId()
 			.addClass( "ui-dialog-title" )
-			.html( this.options.title || "&#160;" )
 			.prependTo( this.uiDialogTitlebar );
+		this._title( uiDialogTitle );
 
 		this.uiDialog.attr({
 			"aria-labelledby": uiDialogTitle.attr( "id" )
 		});
 	},
 
+	_title: function( title ) {
+		if ( !this.options.title ) {
+			title.html( "&#160;" );
+		}
+		title.text( this.options.title );
+	},
+
 	_createButtonPane: function() {
 		var uiDialogButtonPane = ( this.uiDialogButtonPane = $( "<div>" ) )
 			.addClass( "ui-dialog-buttonpane ui-widget-content ui-helper-clearfix" );
@@ -600,9 +607,7 @@ $.widget("ui.dialog", {
 		}
 
 		if ( key === "title" ) {
-			// convert whatever was passed in to a string, for html() to not throw up
-			$( ".ui-dialog-title", this.uiDialogTitlebar )
-				.html( "" + ( value || "&#160;" ) );
+			this._title( this.uiDialogTitlebar.find( ".ui-dialog-title" ) );
 		}
 	},
 
-- 
2.39.5